About contagio exchange

CONTAGIO EXCHANGE Contagio exchange was created to absorb malware samples shared by readers of Contagio. This is meant to be a community driven malware collection.
Edit Aug 2013 - The community is busy and Mila too, so this was not a very active site (my fault probably). I will just be dumping malware strings here - it often helps in malware identification, and googling is the best way.
With just strings, this is not exactly a fun blog to read, but it might become a useful resource over time.
I will not be posting samples here, just MD5 hashes. You can find the corresponding samples on contagio, or ping me if you can't find them.
M
P.S. Robot pictures delivered by Robohash.com (generated from file hashes)

Sunday, December 29, 2013

Chikdos.A - CRIME strings

File: Chikdos_10E7876FD639EA81767315CD178873C0_59870.exe_Win
MD5:  10e7876fd639ea81767315cd178873c0
Size: 579584

Ascii Strings:
---------------------------------------------------------------------------
!This program cannot be run in DOS mode.
Rich+w
.text
`.rdata
@.data
.rsrc
@.reloc
QSUV
SUVW
9\$,r
D$49\$Hs
D$4PUh
D$49\$Hs
D$4P
|$49\$Hs
9\$Hs
D$4h
D$TP
D$49\$Hs
D$4P
9\$Hr
L$4Q
Y_^][
u"h<
u"h`
D$$Vh
 SUVW
D$$;
_^][
T$(+T$$u
L$$j
PWQV
T$(+T$$u
+D$$u
T$$3
QWRV
D$$;
_^][
j,h4
j-h|
D$l9
D$lj
9t$,s
9t$,s
9t$,s
D$49t$Hs
D$4Pji
9t$ds
D$PPjj
9t$,s
9t$,s
9t$,s
9t$Hs
D$4j
9t$,s
9t$,r
9t$dr
L$PQ
9t$Hr
T$4R
D$lP
Y_^[
t$$j
D$Hd
L$$Q
D$(d
D$83
L$(d
PQVW
|$ W
D$$P
Y_^[
WUQP
SUVWh
D$$PS
_^][
0WWWWW
X_^]
h$0A
_^[]
tG9}
0WWWWW
VVVVV
^[_3
54AA
PPPPP
WWWWW
@uwV
WWWWW
WWWWW
@uwV
WWWWW
SSSSS
Ph`0A
WWWWW
_^[]
WWWWW
=@AA
QQSVWd
QSVW
5@BA
=<BA
%0BA
-,BA
QSVW
5lDA
0SSSSS
_^[]
t&:a
5@]A
5$MA
=P4A
uNSW
PPPPP
@u^V
, <Xw
t%HHt
HHtXHHt
HHty+
RPSW
90tV
>If90t
WSj0
WSj
Y__^[
35`0A
9csm
h`0A
h`0A
^_[3
% MA
F\=P
teh7]@
WWWWW
j@j ^V
[j@j
5 LA
VVVVV
<at9<rt,<wt
SSSSS
tVHtG
tEHt1
>=upF
SSSSS
;5@]A
URPQQh
L$,3
UVWS
[_^]
SVWj
hCj@
_^[]
WWWWW
~,WPV
;5@]A
98t^
tVPV
t/9U
8csm
=P0A
VVVVV
PPPPP
<v8V
VVVVV
VVVVV
VVVVV
=P0A
S99t
58AA
58AA
>=Yt1j
tNVSP
PPPPP
58AA
%8AA
Y[_^
>"u&
< tK<
@@f9
@@f9
SSS+
@PWSS
t!SS
5`0A
5d0A
@_^]
=MOC
=csm
8csm
9csm
~SSV
j,hP
~@;H
>csm
taSV
YYPV
t)SV
Hu4j
>MOC
s[S;7|G;w
9>u&
tR99u2
r,9Y
@_^[]
oV f
o^0f
of@f
onPf
ov`f
o~pf
ueSj
@_^[
 VW}
j?^;
%HJA
u,9E
WWWWW
VVVVV
0A@@Ju
=H>A
Y_^[]
_^[]
Fpt"
^SSSSS
j"^SSSSS
QSWVj
N+D$
_^[]
Y_^[
Y_^[
SSSSS
SSSSS
tl9]
tC9]
Ht$C
CC@@
Ht(f
CC+]
VVVVV
WWWWW
WWWWW
VVVVV
VVVVV
VVhU
WWWWW
SSSSS
tGHt.Ht&
^SSSSS
;t0;
8VVVVV
t(9u
SSSSS
SSSSS
ti9]
6f;p
r0f;p
tH9]
6f;H
r0f;H
u!f;
SSSSS
SSSSS
tA9]
t_8]
t 9]
SVWUj
]_^[
;t$,v-
UQPXY]Y[
=P0A
VW|[;
=P0A
_^[]
VVVVV
j@j
SSSSS
j h8
t+Ht
PPPPP
0SSSSS
_^[]
_^[]
0SSSSS
VVVVV
WWWWW
uaVj
uL9=PJA
wIVSP
9=PJA
FVSj
u8SS3
GWhT
9] u
9]$SS
t)9]
t"SS9]
9] u
FVhT
9] SS
v$;5,?A
PPPPPPPP
tR:Q
t<:Q
t&:Q
PPPPPPPP
WWWWW
u+9u
95P?A
=P?A
5P?A
~%9M
r 8^
SVW3
_^[u
VVVVV
VW9]
SSSSS
SSSSS
u99u
VVVVV
WWWWV
t<Vj
t+WWVPV
string too long
invalid string position
Unknown exception
(null)
( 8PX
700WP
`h````
xpxxxx
EncodePointer
DecodePointer
FlsFree
FlsSetValue
FlsGetValue
FlsAlloc
UTF-8
UTF-16LE
UNICODE
CorExitProcess
runtime error
TLOSS error
SING error
DOMAIN error
R6034
An application has made an attempt to load the C runtime library incorrectly.
Please contact the application's support team for more information.
R6033
- Attempt to use MSIL code from this assembly during native code initialization
This indicates a bug in your application. It is most likely the result of calling an MSIL-compiled (/clr) function from a native constructor or from DllMain.
R6032
- not enough space for locale information
R6031
- Attempt to initialize the CRT more than once.
This indicates a bug in your application.
R6030
- CRT not initialized
R6028
- unable to initialize heap
R6027
- not enough space for lowio initialization
R6026
- not enough space for stdio initialization
R6025
- pure virtual function call
R6024
- not enough space for _onexit/atexit table
R6019
- unable to open console device
R6018
- unexpected heap error
R6017
- unexpected multithread lock error
R6016
- not enough space for thread data
This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.
R6009
- not enough space for environment
R6008
- not enough space for arguments
R6002
- floating point support not loaded
Microsoft Visual C++ Runtime Library
<program name unknown>
Runtime Error!
Program:
bad exception
 Complete Object Locator'
 Class Hierarchy Descriptor'
 Base Class Array'
 Base Class Descriptor at (
 Type Descriptor'
`local static thread guard'
`managed vector copy constructor iterator'
`vector vbase copy constructor iterator'
`vector copy constructor iterator'
`dynamic atexit destructor for '
`dynamic initializer for '
`eh vector vbase copy constructor iterator'
`eh vector copy constructor iterator'
`managed vector destructor iterator'
`managed vector constructor iterator'
`placement delete[] closure'
`placement delete closure'
`omni callsig'
 delete[]
 new[]
`local vftable constructor closure'
`local vftable'
`RTTI
`udt returning'
`copy constructor closure'
`eh vector vbase constructor iterator'
`eh vector destructor iterator'
`eh vector constructor iterator'
`virtual displacement map'
`vector vbase constructor iterator'
`vector destructor iterator'
`vector constructor iterator'
`scalar deleting destructor'
`default constructor closure'
`vector deleting destructor'
`vbase destructor'
`string'
`local static guard'
`typeof'
`vcall'
`vbtable'
`vftable'
operator
 delete
 new
__unaligned
__restrict
__ptr64
__clrcall
__fastcall
__thiscall
__stdcall
__pascal
__cdecl
__based(
 !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
('8PW
700PP
`h`hhh
xppwpp
GetProcessWindowStation
GetUserObjectInformationA
GetLast
ActivePopup
GetActiveWindow
MessageBoxA
USER32.DLL
 !"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
 !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~
HH:mm:ss
dddd, MMMM dd, yyyy
MM/dd/yy
December
November
October
September
August
July
June
April
March
February
January
Saturday
Friday
Thursday
Wednesday
Tuesday
Monday
Sunday
SunMonTueWedThuFriSat
JanFebMarAprMayJunJulAugSepOctNovDec
CONOUT$
.bak
pszTgtFile(%s)
strTgtBak(%s)
Windows NT
Windows 2000
Windows XP
Windows Server 2003
Windows Vista
Windows Server 2008
Windows 7
Windows Server 2008 R2
Windows 32s
Windows Unknown
CreateService OpenSCManager Failed %d
CreateService CreateService Failed %d
DeleteService OpenSCManager Failed %d
DeleteService OpenService Failed %d
StartService OpenSCManager Failed %d
StartService OpenService Failed %d
StopService OpenSCManager Failed %d
StopService OpenService Failed %d
%s - %d
C:\Program Files\DbProtectSupport
C:\Program Files\DbProtectSupport\npf.sys
C:\Program Files\DbProtectSupport\Packet.dll
2008
2003 sys %d
C:\Program Files\DbProtectSupport\svchost.exe
DbProtectSupport
UnInstallService DbProtectSupport %d
UnInstallService NPF %d
dm1712/`jvpnpkte/bpl
68961
InstallService NPF %d
InstallService DbProtectSupport %d
vector<T> too long
bad allocation
RSDSxxy
E:\SVN\trunk\2014\
\IntergrateCHK\Release\IntergrateCHK.pdb
GetModuleFileNameA
FindResourceA
LoadResource
SizeofResource
DeleteFileA
CreateFileA
WriteFile
CloseHandle
GetVersionExA
GetLastError
Sleep
SetFilePointer
GetSystemWow64DirectoryA
CreateDirectoryA
KERNEL32.dll
OpenSCManagerA
CreateServiceA
CloseServiceHandle
OpenServiceA
DeleteService
StartServiceA
ControlService
ADVAPI32.dll
TerminateProcess
GetCurrentProcess
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
GetCommandLineA
RaiseException
RtlUnwind
HeapFree
HeapAlloc
EnterCriticalSection
LeaveCriticalSection
GetModuleHandleW
GetProcAddress
TlsGetValue
TlsAlloc
TlsSetValue
TlsFree
InterlockedIncrement
SetLastError
GetCurrentThreadId
InterlockedDecrement
SetHandleCount
GetStdHandle
GetFileType
GetStartupInfoA
DeleteCriticalSection
ExitProcess
FreeEnvironmentStringsA
GetEnvironmentStrings
FreeEnvironmentStringsW
WideCharToMultiByte
GetEnvironmentStringsW
HeapCreate
VirtualFree
QueryPerformanceCounter
GetTickCount
GetCurrentProcessId
GetSystemTimeAsFileTime
VirtualAlloc
HeapReAlloc
HeapSize
GetCPInfo
GetACP
GetOEMCP
IsValidCodePage
MultiByteToWideChar
ReadFile
InitializeCriticalSectionAndSpinCount
GetConsoleCP
GetConsoleMode
SetStdHandle
FlushFileBuffers
LoadLibraryA
LCMapStringA
LCMapStringW
GetStringTypeA
GetStringTypeW
GetLocaleInfoA
WriteConsoleA
GetConsoleOutputCP
WriteConsoleW
SetEndOfFile
GetProcessHeap
.?AVout_of_range@std@@
.?AVtype_info@@
.?AVbad_exception@std@@
                       
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
                       
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
.?AVexception@std@@
.?AVlogic_error@std@@
.?AVlength_error@std@@
.?AVbad_alloc@std@@
.?AVCLZSS@@
!Thi
s progra
m cannot
 be run
in DOS m
ode.
.text
`.rda
.rsr
6,.@
.reloB
2?D?V?h?z?
bIWnH
|$ W
IBG3
wP wP
@H9RHD
H4NC3
Ah _D
7BS3
NC^@
:Q\$|
\$lO
`uAhP
~@Lg$p
0P9@P
>Zsj
9l$,r
D$,9R\$(
pT$4
Q9-n
QhHQp
t$@+
9t$}d
Fo P
pD_$lP
aPV][\
Q#`[
PN f
NK^@;b
QhPQpR
|$0*7r
qXQpQ
09Jb
`?JN
@8SH
JVo3
cOuIt$
+N 3
F)q.
~@F}
YN@0./
{UVI
0UVA0SD4,L0*
KWUV0<
sM9
y&VP
@fpP
qeec
PQRV
'RhQ
Rpu@
y@~}B
 }\3
#?56
t0SR
tFzb
V QR
]# ]#e$
o,QV
\ t<r
oh<_D
 p)Apn
] SU0
@L$<+L?$8u
U8OP(P(R
#6x$v
@0u<@0@@0D
!@0
1~@;
2D$L
3DCz
2L$\
/ IhtI
9t$
0`38
0Ka+
}cc3
H`?"l
][H`
4vAp
*Ka0,
@'Q(
HQe"
y%}&
L$49
<P(_!HR
j^5(sA8
"l$4+_
Hfj L\
`MQd
^54"
dPhKah
j  p0
,p00p04
@j \%
`t~!
P?dWQ
'rG?8
PTpL
V@P#_!<
Y"@_!@R
QHj D
t~#T
R2CX2S
]"Yc?u?C
V QR
R2F{
b@&s
}p>a
~e R
eD$`
;~Tt
`I0T
HP+H
gffwf
qO +O
p;|$
#>q0r
yG0q
SP_+SL
G0JU04R3
PP^I
"D$p
tpRQ
QRUV
VPUE
SV#X
8>p3
'e^2`
VR`#X
5laj
0`6c>c
xX0!`M
SWVP
$QRP
^&q_
+a6e
s!\^fP
as 3
PQRQw
%BRPSv
lhb;
4l$t
{HAJ
WQWV
QP?Q+
,RQH
p&q(j
hh:s-(Aq,
S"v0W
9|$,u?
=bra6_
?'QUW
F%4t
j&q$
pT/rB
$Aq(@
tD$t
V2Lj
t$}0=
:s4Aq8
9*u |
N/0,
8X,u
8Z,tnH0
^,H0k
Y,Po
23`/
"Q!t$
^-u<
8_-t
WV{P
QWQR7
n U+
,QH`
vA_
Xp \p
(u V(
#auo
OWpV[p
|$Hzw
\$Tw
T$ ;
L$dQ
`T$$
\$ {
t$`V.Z
/@(;
X`^T
P!/@T
+L$WL
t$8+t$4
3A8VW
T$4E
4A;
u(+!
aWPQ
P3,/<
/@$;!
;^&!
tP03
IP1t
Hnc@R
t!5Q
P5QzbaQ:
d0`
Q#0{
yDBO
tP&0
b#GQc
I #G
!zSU
 4:`
L$tSPVPg
Jd08Y-,0Q
F,B0v
08_n1O
yy8O
a?R0u
l?~;
Ayt@
r6A91s
_]=[
_]a]
aawR
Ia9g
!9t$
0?PQ
 rRaW
aa[VPm
&7q+
,sPV
T$HR
D_$HP
Dj!`{hph
|?$$
4#>.
_GX3
0GlP
ws@T
z{P+
P\$H
TP:RP
RD$?
caf`S
u)h|
9^Hr
ue^sMFeqF4
`<.t
T$Ts
L$hP
D$/\
QRUP
=x!3
Q3qg
hpqp
D$L@
+L$`
_P(-
C ;VQ,
P#:D
gfff
|I@V
H +H
K +K
$E!N
'1~8@
 +OT/f"
'1_2
\$]$d?
a'1D
eAW~w"
JeO:wO%
(CSU
-----------------------------------------------------------------snip
8C:I:N:T:[:m:
<*<E<b<
h1l1p1t1x1
24282\2`2
0 0$0(0,0004080<0@0D0H0L0P0T0X0\0`0d0h0l0p0t0x0|0
l0p0
1,10141<1T1d1h1x1|1
2$2<2L2P2X2p2
3 3@3H3P3T3X3`3t3
4,404P4p4
5 5@5`5
6$60686h6p6t6
7$7(7D7H7h7
8$8(8H8d8h8
909P9p9
: :(:,:4:<:l:|:
;(;4;T;`;
0$0(0,000
1p4t4
5$5,545<5D5L5T5\5d5l5t5|5
<h<x<
=@>D>H>L>P>T>X>\>`>d>h>l>p>t>x>|>
? ?$?(?,?8?

Unicode Strings:
---------------------------------------------------------------------------
jjjjj
A(null)
KERNEL32.DLL
mscoree.dll
         (((((                  H
         h((((                  H
                                 H
imes
\Ll|
TDdt